I am not sure which rule that is or if this helps, but I have had decent success in using an old Bleeding Edge rule to detect Skype. According to the author it shouldn't detect newer versions, but I recall I was still successful in detecting newer versions of Skype with it, even the MySpace/Skype IM client. I never fully verified which versions of everything, though.

http://marc.info/?l=snort-sigs&m=111396037710323&w=1

On Thu, Apr 2, 2009 at 7:42 AM, Raffi Jamgotchian <[email protected]> wrote:

> It does use upnp by default. They use their own implementation of it
>
> ----
> Raffi
>
> On Apr 2, 2009, at 3:16 AM, Michel Lundell <[email protected]> wrote:
>
> > Hi l33t folks!
> >
> > Does skype add an external port using upnp?
> > (and to the port 4444!!!?)
> > The port number seems familiar ,o), also the AddPortMapping ...
> >
> > This is an incident right? or does skype do this on the windows
> > platform?
> > Can't detect this behaviour on a linux box...
> >
> > Scanned the router, but nmap did not detect any open port, so it may
> > failed or was closed when I performed the scan... maybe it failed?
> >
> > I have not permission to access the router config yet....
> >
> > /M
> >
> > #(26 - 8149) [2009-03-30 07:38:46] [local/100021] [snort/1:100021]
> > to router traffic alert
> > IPv4: 192.168.1.2 -> 192.168.0.254
> > hlen=5 TOS=0 dlen=903 ID=16342 flags=0 offset=0 TTL=128
> > chksum=13386
> > TCP: port=61432 -> dport: 4444 flags=***AP*** seq=1705820595
> > ack=1383450833 off=5 res=0 win=64240 urp=0 chksum=15790
> > Payload: POST /wipconn HTTP/1.0<DIV class="nonascii">[2 non-ASCII
> > characters]</DIV>Host: 192.168.0.254:4444<DIV class="nonascii">[2
> > non-ASCII characters]</DIV>Content-Type: text/xml;
> > charset="utf-8"<DIV class="nonascii">[2 non-ASCII characters]</
> > DIV>SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:
> > 1#AddPortMapping"<DIV class="nonascii">[2 non-ASCII characters]</
> > DIV>Connection: close<DIV class="nonascii">[2 non-ASCII characters]</
> > DIV>Content-Length: 653<DIV class="nonascii">[4 non-ASCII
> > characters]</DIV><?xml version="1.0" encoding="utf-8"?><DIV
> > class="nonascii">[2 non-ASCII characters]</DIV><s:Envelope xmlns:s="
> http://schemas.xmlsoap.org/soap/envelope/
> > " s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><DIV
> > class="nonascii">[2 non-ASCII characters]</
> > DIV><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-
> > org:service:WANIPConnection:1"><DIV class="nonascii">[2 non-ASCII
> > characters]</DIV><NewRemoteHost></NewRemoteHost><DIV
> > class="nonascii">[2 non-ASCII characters]</
> > DIV><NewExternalPort>6895</NewExternalPort><DIV class="nonascii">[2
> > non-ASCII characters]</DIV><NewProtocol>TCP</NewProtocol><DIV
> > class="nonascii">[2 non-ASCII characters]</
> > DIV><NewInternalPort>6895</NewInternalPort><DIV class="nonascii">[2
> > non-ASCII characters]</DIV><NewInternalClient>192.168.1.2</
> > NewInternalClient><DIV class="nonascii">[2 non-ASCII characters]</
> > DIV><NewEnabled>1</NewEnabled><DIV class="nonascii">[2 non-ASCII
> > characters]</DIV><NewPortMappingDescription>Skype TCP at
> > 192.168.1.2:6895 (819)</NewPortMappingDescription><DIV
> > class="nonascii">[2 non-ASCII characters]</DIV><NewLeaseDuration>0</
> > NewLeaseDuration><DIV class="nonascii">[2 non-ASCII characters]</
> > DIV></u:AddPortMapping></s:Body></s:Envelope><br><br>
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
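
For triaging an alert like the one quoted in this thread, the following Python (an added example, not part of the original messages) extracts the AddPortMapping arguments from the captured HTTP request and notes what the mapping would expose. The names `parse_add_port_mapping` and `triage` are hypothetical, and the sample request is constructed from the fields visible in the alert, assuming the non-ASCII markers there are CRLF line endings.

```python
import xml.etree.ElementTree as ET

FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

def parse_add_port_mapping(http_request: bytes):
    """Return the argument fields of a UPnP AddPortMapping POST, else None."""
    head, sep, body = http_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:             # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().strip(b'"')
    if not sep or not headers.get(b"soapaction", b"").endswith(b"#AddPortMapping"):
        return None
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:  # refuse entity definitions in captured XML
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = next((e for e in root.iter() if e.tag.endswith("}AddPortMapping")), None)
    return None if node is None else {c.tag: c.text or "" for c in node if c.tag in FIELDS}

def triage(mapping: dict, src_ip: str) -> list:
    """Notes an analyst would want next to the alert; src_ip is the packet source."""
    notes = []
    if mapping.get("NewInternalClient") != src_ip:
        notes.append("forward targets a host other than the requester")
    if mapping.get("NewRemoteHost", "") == "":
        notes.append("empty NewRemoteHost: any external address may connect")
    if mapping.get("NewLeaseDuration") == "0":
        notes.append("lease 0: mapping stays until removed")
    return notes

# Constructed sample, rebuilt from the fields visible in the quoted alert.
SAMPLE = (
    b'POST /wipconn HTTP/1.0\r\nHost: 192.168.0.254:4444\r\n'
    b'Content-Type: text/xml; charset="utf-8"\r\nConnection: close\r\n'
    b'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n\r\n'
    b'<?xml version="1.0" encoding="utf-8"?>\r\n'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    b's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\r\n<s:Body>'
    b'<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewRemoteHost></NewRemoteHost><NewExternalPort>6895</NewExternalPort>'
    b'<NewProtocol>TCP</NewProtocol><NewInternalPort>6895</NewInternalPort>'
    b'<NewInternalClient>192.168.1.2</NewInternalClient><NewEnabled>1</NewEnabled>'
    b'<NewPortMappingDescription>Skype TCP at 192.168.1.2:6895 (819)'
    b'</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>'
    b'</u:AddPortMapping></s:Body></s:Envelope>'
)
```

Calling `triage(parse_add_port_mapping(SAMPLE), "192.168.1.2")` returns the notes for the mapping in the alert; pass the alert's source address as the second argument.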
